How to use Windows 7 system firewall configuration

Windows XP integrated firewalls are often regarded as chicken ribs, but the powerful functions of windows 7 firewall also have a taste of "professional. Let's take a look at how to use the WIN7 firewall.

Similar to Vista, you can use the access control panel program to perform basic configuration for Windows 7 firewall. Different from Vista, you can also configure the access control panel in advanced settings, including the configuration of the outbound connection filter ), instead of creating a blank MMC and adding an embedded Management Unit. Click the advanced configuration option in the left-side pane.

The Vista Firewall allows you to choose whether to use a public grid or a private network. In Windows 7, you have three options: public network, home network, and office network. The last two options are the refinement of the private network.

If you select the "home network" option, you can create a "home group ". In this environment, network discovery is automatically started. You can see other computers and devices on the network, and they can also see your computer. Computers affiliated with the home group can share pictures, music, videos, document libraries, and hardware devices such as printers. If you have folders that you do not want to share in the document library, you can exclude them.

If you select "Work Network", "network discovery" will also start automatically, but you will not be able to create or join the "home group ". If your computer is added to a Windows domain, go through the control panel-system and security-system-Advanced System Configuration-computer name tab) and pass DC verification, the firewall automatically identifies the network type as a domain environment network.

The "Public Network" type is the proper option when you connect public Wi-Fi networks at airports, hotels, coffee shops or using mobile broadband networks. network discovery will be disabled by default, in this way, the computing machines in other networks will not find your shares, and you will not be able to create or join the "family group ".

In all network modes, Windows 7 firewall intercepts any connections sent to applications not in the whitelist by default. Windows 7 allows you to configure different network types separately.

Multi-Role firewall policy

In Vista, although you have two configuration files: public network and private network, only one configuration file takes effect within the specified time. So if your computer is connected to two different networks at the same time, you will be unlucky. The strictest configuration file will be connected to all connections by users, which means you may not be able to use it locally, because you are running on a public network under a rule. In Windows 7 (and Server 2008 R2), different configuration files can be used on different network adapters. That is to say, the network connections between private networks are subject to the rules of private networks, while the traffic between private networks is subject to the rules of public networks.

What works is the inconspicuous things.

In many cases, better availability often depends on small changes. MS listens to users' opinions and adds some "inconspicuous and useful things" to Windows 7 firewall. For example, when creating a firewall rule in Vista, you must list the IP addresses and ports respectively. Now you only need to specify a range, which greatly shortens the time used to execute common management tasks.

You can also create Connection Security Rules in the firewall console) to specify which ports or protocols need to use IPsec instead of using the netsh command, for those who like the GUI, this is a more convenient improvement.

Connection Security Rules (Connection Security Rules) also supports dynamic encryption. This means that if the server receives an unencrypted but verified message from the client, the Security Association will require encryption through the agreed "running, to establish safer communications.

Configure the configuration file in "Advanced Settings"

With the "Advanced Settings" control panel, you can set the configuration file for each network type.

You can set the configuration file as follows:

* Enable/disable Firewall

* Intercept, intercept all connections, or allow inbound connections

* Allow or intercept) Outbound Connections

* Whether to notify you after a program is intercepted) Notification display

* Allows unicast to respond to multicast or broadcast requests.

* In addition to group policy firewall rules, local administrators are allowed to create and apply local firewall rules.

Use netsh.exe to configure the system firewall

(1). View, enable or disable system firewall

Open the command prompt, enter the command "netsh firewallshow state", and press enter to view the firewall status. The display result shows the disabling and enabling of each functional module of the firewall. The "netsh firewall set opmode disable" command is used to disable the system firewall. The opposite command is "netsh firewall set opmode enable" to enable the firewall.

(2). Allow file and print sharing

Files and printers are commonly used in LAN sharing. To allow clients to access shared files or printers on the local machine, enter and execute the following commands:

Netsh firewall add portopening UDP 137 Netbios-ns

(Allow the client to access port 137 of the UDP protocol on the server)

Netsh firewall add portopening UDP 138 Netbios-dgm

(Allow access to UDP port 138)

Netsh firewall add portopening TCP 139 Netbios-ssn

(Allow access to TCP port 139)

Netsh firewall add portopening TCP 445 Netbios-ds

(Allow access to TCP port 445)

After the command is executed, all files and the ports required for file sharing are opened by the firewall.

(3). Allow ICMP echo

By default, external hosts are not allowed to Ping Windows 7 for security reasons. However, in a secure LAN environment, the Ping test is necessary for the Administrator to test the network. How can I allow the ping test echo on Windows 7?

Of course, through the system firewall console you can set the file and print share (echo request-ICMPv4-In) rule in inbound rules to allow (if the network uses IPv6, the rule that allows the ICMPv6-In at the same time .). However, we can use the netsh command in the command line to quickly implement it. Run the "netsh firewall set icmpsetting 8" command to Enable ICMP Echo. Otherwise, Run "netsh firewall set icmpsetting 8 disable" to disable the echo.